Overview
The GamersFirst Anti-Cheat (GFAC) driver GFAC.sys contains multiple local privilege escalations and denial-of-service vulnerabilities stemming from insecure handling of user-controlled input through a minifilter communication port. A local attacker can abuse these flaws to perform arbitrary kernel memory writes, obtain privilege escalation to SYSTEM, or trigger a system crash.
Description
GFAC is a proprietary anti-cheat software developed by video game publisher Little Orbit. GFAC includes a kernel-mode driver, GFAC_Sys_x64.sys, that exposes privileged functionality to user-mode applications through a minifilter communication port. Although these low-level interfaces are necessary for the software's operation, vulnerabilities can arise if user-mode access is not properly restricted and validated.
CVE-2026-12166 GFAC_Sys_x64.sys contains a NULL pointer dereference condition in its initialization and request handling logic. A local attacker can trigger the vulnerable code path, causing the driver to read or write to a memory address assigned as NULL. Successful exploitation results in a system crash (“blue screen of death”).
CVE-2026-12167 The minifilter communication port that GFAC_Sys_x64.sys exposes does not enforce sufficiently restrictive security descriptors. As a result, low-privileged users can establish connections to the driver and access functions intended only for trusted processes. [RM1.1][MB1.2][RM1.3]User access to privileged functions could help an attacker take advantage of other weaknesses in the driver.
CVE-2026-12168 GFAC_Sys_x64.sys processes messages received through a minifilter communication port without properly validating user-supplied memory addresses before performing write operations. An attacker can provide a crafted request containing a desired destination address and data value, causing the driver to write arbitrary data to kernel memory. This write-what-where condition can be leveraged to modify sensitive operating system structures, such as process security tokens, resulting in privilege escalation to SYSTEM.
Impact
Multiple vulnerabilities in the driver may allow local attackers to crash the system, escalate privileges to SYSTEM, or execute unauthorized code. Due to insufficient access controls, privileged driver functionality is exposed to untrusted users, increasing the likelihood and impact of exploitation.
Solution
Unfortunately, we were unable to reach the vendor to coordinate this vulnerability. Users should restrict local access to trusted users and monitor systems for unauthorized interactions with GFAC. Where available, games that utilize GFAC should be disabled or removed until an update is available to address the identified vulnerabilities.
Acknowledgements
Thanks to Lucian Alexandru Necula for identifying and disclosing these vulnerabilities. This document was written by Michael Bragg.
Vendor Information
Other Information
| CVE IDs: | CVE-2026-12166 CVE-2026-12167 CVE-2026-12168 |
| API URL: | VINCE JSON | CSAF |
| Date Public: | 2026-07-02 |
| Date First Published: | 2026-07-02 |
| Date Last Updated: | 2026-07-02 15:07 UTC |
| Document Revision: | 4 |